Editor’s note:The following is a sponsored blog post from OneTrust.
Today's financial services institutions face a dilemma: they need critical third-party solutions to advance their business, yet the lack of visibility into third and even fourth parties complicates risk management and compliance. Innovation and scale are essential for business growth, but so is staying compliant in a highly regulated environment and mitigating risk to operations, sensitive data and responsible use of AI.
Emerging regulations like the Digital Operational Resilience Act (DORA) aim to improve risk management and enhance overall operational resilience. With the Act set to take effect in January 2025, let's explore what DORA is, the requirements it will impose, and how financial institutions can start preparing for the upcoming deadline.
What Is DORA?
DORA was started by the European Commission in September 2020. It’s the first regulation to oversee the security functions of financial entities across the European Union. DORA presents a unified framework designed to standardize how different types of financial entities manage their information and communication technology (ICT) risks.
DORA joins regulations like NIS2, FCA and LkSG in a broader push for stronger operational resilience. However, it departs from previous regulations in that many companies that weren't previously subject to ICT regulations are now required to comply.
Who Must Comply with the New EU Regulation?
With DORA, the EU is focused on boosting IT security for financial entities. This new regulation doesn’t just impact banks, insurance companies and investment firms across the EU; it also covers the critical ICT vendors that work with these financial institutions.
The framework lists 21 specific types of entities that fall within scope, including but not limited to:
- Credit and payment institutions
- Investment firms
- Account information service providers
- Crypto-asset service providers
- Data reporting service providers
In addition to managing their own risk, financial entities are now also accountable for all downstream risk across their extended networks, including those associated with third, fourth and Nth parties.
Unpacking DORA's Five Core Pillars
DORA aims to strengthen digital operational resilience by focusing on five core pillars. Here’s what’s expected of financial institutions, as well as ICT providers:
- ICT risk management: Establish a set of requirements for the ICT risk management framework, including setting up and maintaining resilient systems and tools to minimize risk.
- ICT-related incident reporting: Establish and implement a management process for monitoring, logging, classifying and reporting ICT-related incidents.
- Digital operational resilience testing: Conduct periodic testing for elements within the ICT risk management framework to identify any deficiencies and gaps.
- ICT third-party risk management: Ensure monitoring and management of third-party risk providers, including key contractual provisions.
- Information sharing: Exchange cyber threat information and intelligence to enhance digital operational resilience.
By adhering to these requirements, financial entities can bolster their defenses against the numerous digital threats they face. However, to start on the path to compliance, they must thoroughly evaluate their current procedures, tools and standard practices for ICT risk management, including their use of ICT third-party service providers.
The Road to Compliance
As the deadline for DORA compliance nears, financial entities are focusing on boosting their digital resilience to meet the new requirements.
Risk and security teams are key players in ensuring DORA compliance and building overall operational resilience. Since implementing DORA compliance can be quite complex to navigate, a third-party management (TPM) platform is recommended.
A TPM platform can help spot and evaluate all relevant ICT risks, as well as risks posed by third and fourth parties and beyond. Learn more about how you can leverage TPM to streamline DORA compliance.